
Clobbering the Cloud!


Presentation Transcript


  1. Clobbering the Cloud! { haroon | marco | nick } @sensepost.com

  2. about: us {Nicholas Arvanitis | Marco Slaviero | Haroon Meer}

  3. Why this talk ?

  4. This is not the time to split hairs

  5. The LOUD in cLOUD security.. A bunch of people are talking about “the cloud”. There are large numbers of people who are immediately down on it: “There is nothing new here”, “Same old, same old”. If we stand around splitting hairs, we risk missing something important..

  6. So, what exactly *is* the Cloud?

  7. Cloud delivery models

  8. Why would we want to break it? It will be where the action is.. Insidious the dark side is.. Amazingly, we are making some of the same old mistakes all over again. We really don’t have to..

  9. What is driving Cloud adoption? • Management by in-flight magazine • Manager Version • Geek Version • Poor history from IT • Economy is down • Cost saving becomes more attractive • Cloud computing allows you to move from CAPEX to OPEX • (Private Clouds?)

  10. A really attractive option EC2 is Cool! Like Crack..

  11. Problems testing the Cloud

  12. Transparency

  13. Compliance in the Cloud “If it's non-regulated data, go ahead and explore. If it is regulated, hold on. I have not run across anyone comfortable putting sensitive/regulated data in the cloud” “doesn’t seem to be there as far as comfort level that security and audit aspects of that will stand up to scrutiny” (sic) --Tim Mather: RSA Security Strategist

  14. Privacy and legal issues

  15. Privacy Jim Dempsey (Center for Democracy and Technology): “Loss of 4th Amendment protection for US companies”. A legal (court) order to serve data can be used to obtain your data without any notification being served to you. There is no legal obligation to even inform you it has been given.

  16. Simple solution.. Crypto Pixie Dust! Would you trust crypto on an owned box ?

  17. Vendor Lock-in Pretty self-explanatory If your relationship dies, how do you get access to your data ? Is it even your data ?

  18. Availability [Big guys fail too?]

  19. Availability [Not Just Uptime!]

  20. Availability [not just uptime!] Account Lockout? “Malicious activity from your account”

  21. Monoculture

  22. Monoculture • MonocultureGate is well known in our circles. • Just viewing that pic resulted in a raised average IQ in this room. • His (their) thesis: “A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks; these attacks can and do cascade.” • Most people agreed with Dr Geer (et al) back then.. • Just because it's not Windows doesn’t mean the thesis disappears.

  23. SmugMug Case Study Process 50+ terapixels per day. Posterchild of AWS. Heavy use of S3 and EC2. Launched 1920 standard instances in one call. You don’t get monoculture’er than ~2000 machines that are all copies of the same image.. ASLR Fail .. ?

  24. Extending your attack surface

  25. While we’re talking about phishing…

  26. Trust…

  27. Cloud #fail MediaMax Online Storage – inactive account purging script error whacked active customer accounts. Nokia Ovi (like MobileMe) lost 3 weeks of customer data after crash. Jan 2009 – SF.com customers couldn’t log in – “core network device failed with memory allocation errors”

  28. But you have to trust someone! <+ben> kostyas cloudbreak stuff really scares me <+MH> it's impressive for sure, but why would that scare you more than simple Amazon evilness ? (Malfeasance) <+ben> You have to trust someone.. Just like how you trust Microsoft not to backdoor your OS, you trust Amazon not to screw you

  29. Red Herring Alert!

  30. Complete the popular phrase. Trust, but …………… ! Reverse Engineers keep Microsoft honest (or at least raise the cost of possibly effective malfeasance). Even “pre-owned” hardware is relatively easy to spot (for some definition of easy). But how do we know that Amazon (or other big names) “Won't be evil”™?

  31. Web Application Security

  32. Using the Cloud.. For hax0r fun and profit: • Dino Dai Zovi vs. Debian • Ben Nagy vs. MS Office • Dmolnar && Zynamics

  33. DDZ vs Debian 1. Populate a distributed queue with strings describing which keys to generate 2. Launch 20 VMs (the default limit) 3. Fetch key descriptors from queue, generate batches of keys, and store in S3 524,288 RSA keys – 6 hours – $16

  34. Zynamics && DMolnar Zynamics use EC2 to demo software and classify malware, up to ~50k samples/day. David Molnar and friends fuzz-test Linux binaries, sift results and notify devs, all on EC2.

  35. Some of the players

  36. The ones we looked at…

  37. Autoscaling / Usage costing Autoscaling is a great idea for companies.

  38. Can you spot the danger?

  39. Storage as a Service In most cases this is a really simple model. Faster Internet tubes are making backing up over tubes reasonable. Disk access anywhere is a nice idea. All throw crypto-pixieDust-magic words in their marketing documents. For good measure all throw in Web based GUI access.

  40. Web Apps + File Systems

  41. Amazon EC2 Secure Wiping
